OFFICE OF INSPECTOR GENERAL
UNITED STATES POSTAL SERVICE

Financial Controls Over Automated Postal Centers

Management Advisory Report

May 17, 2012

Report Number FI-MA-12-007

IMPACT ON:
U.S. Postal Service automated postal centers (APC) – a convenient self-service kiosk, serving as an alternative to the full-service counter – and the customers who use APC services.

WHY THE OIG DID THE AUDIT:
To validate the effectiveness and sufficiency of system verification controls, such as limiting the number of transactions per card per day, to minimize fraudulent APC credit and debit card purchases and to evaluate the effectiveness of internal controls over APC stock examinations.

WHAT THE OIG FOUND:
Controls over APC stock examinations were effective; however, opportunities exist for the Postal Service to reduce fraudulent credit and debit card purchases. Management implemented many security measures to significantly reduce the number and amount of credit card chargebacks (reversals of previously settled transactions). They could further reduce chargebacks and the cost of investigating suspicious credit card activity by implementing

Management did not previously           because they believed the security measures in place were sufficient. However, in December 2011, chargebacks more than tripled from the previous month, which amounted to 27 percent of all chargebacks in calendar year 2011. Because of this recent increase, vast improvements to credit card security features, rapidly growing technology, and the popularity of self-service kiosks, we believe the Postal Service should revisit AVS.

WHAT THE OIG RECOMMENDED:
We recommended management conduct and document a feasibility study and           as appropriate, to reduce the number and amount of credit card chargebacks and reduce costs associated with handling chargebacks.

WHAT MANAGEMENT SAID:
Management generally agreed with our recommendation. They will review the level of chargebacks at the end of fiscal year 2013 and complete a cost benefit analysis by March 2014. The analysis will include costs associated with the software that provides print-on-demand stamps at APC kiosks.

AUDITORS’ COMMENT(S):
The OIG considers management’s comments responsive to the recommendation and corrective actions should resolve the issues identified in the report.

Date: May 17, 2012

MEMORANDUM FOR:  KELLY M. SIGMON
                 VICE PRESIDENT, CHANNEL ACCESS

                 ELIZABETH SCHAFER
                 TREASURER

FROM:            John E. Cihota
                 Deputy Assistant Inspector General
                  for Financial Accountability

SUBJECT:         Management Advisory Report – Financial Controls
                 Over Automated Postal Centers
                 (Report Number FI-MA-12-007)

This report presents the results of our review of the financial controls over automated postal centers (Project Number 11BG018FF000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Denice Millett, director, Policy Formulation and Financial Controls, or me at 703-248-2100.

Attachments

cc: Joseph Corbett
    Paul Vogel
    Karen C. Mastervich
    Corporate Audit and Response Management

TABLE OF CONTENTS

Introduction
Conclusion
Automated Postal Centers Security Features
Chargebacks
Recommendation
Management’s Comments
Evaluation of Management’s Comments
Appendix A: Additional Information
   Background
   Objectives, Scope, and Methodology
   Prior Audit Coverage
Appendix B: Management’s Comments

Introduction

This report presents the results of our review of financial controls over automated postal centers (APC) (Project Number 11BG018FF000). Our objectives were to determine whether system verification controls for APCs were in place and sufficient to minimize fraudulent credit and debit card purchases and whether internal controls over APC stock examinations were effective. This review addresses financial risk. See Appendix A for additional information about this audit.

The APC is a self-service, automated retail kiosk placed in retail lobbies to enable customers to ship packages, mail letters, buy stamps, and pay Post Office™ box fees. The goal of the APC program is to provide customers with a convenient, self-service alternative to the full-service counter. In fiscal year (FY) 2011, 2,492 APC kiosks generated nearly $545 million in revenue.

Conclusion

Internal controls over APC stock examinations were effective; however, we identified opportunities to reduce fraudulent credit card purchases related to APC kiosks. Specifically, although the U.S. Postal Service implemented many security measures to help prevent and detect fraudulent debit and credit card activity and has significantly reduced the number of fraudulent credit card transactions and the amount of credit card chargebacks since 2009,¹ opportunities exist for management to further reduce credit card chargebacks and other costs associated with investigating suspicious credit card activity. In addition, opportunities exist to reduce costs associated with handling chargebacks by           ²

Management did not previously           because they believed that security measures already implemented would significantly reduce the number of fraudulent credit card transactions and the amount of fraudulent credit card activity. However, between November and December 2011, the amount of credit card chargebacks more than tripled to $29,592 and accounted for 27 percent of all chargebacks in 2011. Because of the recent increase in chargeback activity, rapidly growing technology, vast improvements to credit card security features, and the popularity of self-service kiosks, we believe the Postal Service should revisit

Automated Postal Centers Security Features

An important factor in controlling fraud is implementing security measures that can adapt to the level of risk in each transaction. Since the introduction of kiosks in 1998, management has continuously implemented security measures to detect and prevent credit and debit card fraud.
Specifically, management initiated a           ,³           In addition, the Postal Service periodically monitors all credit card activity. For example, management has used monitoring to identify transactions           anomalies such as transactions           , and activity where           If suspicious credit card activity is identified, management can take immediate action to restrict the user from making further purchases at the APC.

¹ A chargeback occurs when the financial institution reverses a previously settled credit or debit card transaction.
² A system used to verify the address of a person claiming to own a credit card.
³

Most of the risk associated with the APC self-service kiosks rests with credit card purchases. Credit card fraud is on the rise, increasing 5 percent between 2009 and 2010.⁴ Debit cards do not present as much risk to merchants as credit cards because customers must enter a personal identification number (PIN) to complete a purchase and the bank limits the debit card purchase to the customer’s available bank balance at the time of the purchase.

During the audit, the U.S. Postal Service Office of Inspector General (OIG) reviewed the frequency of the stamp stock counts of the APC kiosks and field-tested internal security controls for credit and debit card transactions for APCs.
We judgmentally selected five APC kiosks in the Dallas, TX area and tested the following controls that management put in place since first putting the kiosks into service in 1998:



We reviewed the APC credit examination histories in the Postal Service’s Accounting Data Mart for October 2009 through September 2010. Based on the items we reviewed, the Postal Service conducted APC stock examinations quarterly, as required. In addition, we examined the five internal security measures listed previously and found they were in place and operating as intended.

⁴ Consumer Reports, “House of Cards: Why Your Accounts Are Vulnerable to Thieves,” June 2011 (http://consumerreports.org).

Chargebacks

The Postal Service reduced the number and amount of credit card chargebacks from 2009 to 2011. Although management accepts some level of credit card fraud risk with a self-service kiosk, we believe they could further diminish credit card chargebacks by implementing additional credit card security measures to prevent loss due to theft or fraud from credit cards.

In 2009, the U.S. Postal Inspection Service (Inspection Service) took over monitoring credit card activity for the Postal Service because they had more resources and the authority to take investigative action. For example, in addition to analyzing for anomalies as mentioned previously, the Inspection Service could set up           ⁵ of the APC kiosks in areas with known or suspected fraudulent activity.
Since 2009, management has seen a significant reduction in chargeback activity, as shown in Table 1.

Table 1: APC Chargebacks

Calendar Year    Number of Chargebacks    Amount Expensed
2009                      8,739               $316,853
2010                      4,239                164,748
2011                      3,093                111,358
Total                    16,071               $592,959

Source: Postal Service Payment Technologies specialist.

In April 2005, the Postal Service Payment Technologies Office contacted major credit card representatives⁶ to obtain           requirements for APC kiosk credit card purchases. The AVS requires purchasers to enter the billing ZIP Code associated with the credit card. Implementing a billing ZIP Code feature could reduce the number of fraudulent chargebacks for non-face-to-face transactions by cross-referencing the cardholder’s billing ZIP Code information with the card issuer’s records.
In addition,           The AVS billing address ZIP Code security feature is already in use in other businesses such as gas stations, retail merchants, and some fast food restaurants.

⁵
⁶ The major credit card companies – American Express; Discover Financial Services; JCB International Credit Card Company, Ltd.; MasterCard Worldwide; and Visa International – founded the Payment Card Industry Security Standards Council in 2006.

Subsequent to April 2005, the Postal Service decided to           for APCs; however, limited resources and other priorities within the Treasury office kept           was canceled because management and the Inspection Service believed the security measures already implemented would sufficiently address chargeback fraud. The           who was advising the APC program office believed           only consider it a slight inconvenience to input ZIP Codes if the approval required it. We were unable to discuss the issue with the manager who made the ultimate decision to           the decision not to           and could not provide any written documentation of research or analysis to support the decision. We held discussions with a field postal inspector working APC credit card fraud who believes that AVS could reduce credit card fraud further.

Although management previously decided not to           in December 2011 credit card chargebacks more than tripled from the previous month to $29,592 and accounted for 27 percent of all chargebacks in calendar year 2011.
In addition, APC management is currently upgrading key components of the existing APC kiosks to convert them from dispensing stamp sheetlets to printing on-demand Forever Postage stamps. Additionally, management plans to obtain an additional 300 kiosks from the current supplier. Because of the recent increase in chargeback activity, unavailable documentation to support the decision not to           rapidly growing technology, vast improvements to credit card security features, and the popularity of self-service kiosks, we believe the Postal Service should revisit           Management should specifically address AVS and other related payment technology verifications that may be available and determine any cost savings that could be available with new technology, and the costs associated with implementing such technology. A written cost-benefit analysis should include opportunities to further reduce chargebacks and potential opportunities to reduce the cost associated with chargeback activities.

Recommendation

We recommend the vice president, Channel Access, coordinate with the treasurer, to:

1. Conduct and document a feasibility study and implement, as appropriate, Address Verification System security features to reduce the number and amount of credit card chargebacks and reduce costs associated with handling chargebacks.

Management’s Comments

Management agreed with the finding and recommendation. They stated they will review the level of chargebacks at the end of FY 2013 and determine by March 2014 if a full cost-benefit analysis is required.
In addition, the delay until March 2014 will enable management to better identify costs associated with the new retail software that will allow print-on-demand stamps at APC kiosks.

Management expressed concern related to the report’s conclusion that reduced chargebacks will result in reduced monitoring costs. In addition, they noted other statements that were inaccurate or could be misleading, including that management cannot cancel debit or credit cards that have been misused; many types of cards, not just prepaid Visa® cards, have restrictions on use; the AVS technology inherently limits the problem           and the Treasury office decided           after April 2005. Management also stated that checking cards against user identification is against some card issuer rules.

See Appendix B for management’s comments in their entirety.

Evaluation of Management’s Comments

The OIG considers management’s comments responsive to the recommendation and corrective actions should resolve the issues identified in the report.

We clarified the report to address management’s concerns. Specifically, we removed all references to costs associated with monitoring as well as the implication that Visa® is the only card with restrictions. We clarified the Postal Service’s ability to cancel a card that has been misused,

Appendix A: Additional Information

Background

Before 1998, the Postal Service provided self-service kiosks for customers to purchase stamps. In 1998, Postal Service management expanded and strengthened this service by implementing a self-service platform that evolved into the APC kiosk.
The APCs give customers access to the most frequently needed products and services up to 24 hours a day, 7 days a week, using a touch screen that shows customers the available services, products, and information available. All self-service kiosks accept debit and credit cards as a form of payment. Currently, the Postal Service has placed 2,492 APC kiosks in retail lobbies nationwide.

Merchants who accept credit cards must determine what form or forms of verification they will use to ensure that only authorized cardholders make credit card purchases. The most conventional form of verification is a signature the merchant collects so that the credit card company can verify it for authentication in the event of a fraud claim. In addition,           The APC was designed to be an unmanned kiosk allowing customers to complete transactions without assistance.

Objectives, Scope, and Methodology

Our objectives were to determine whether system verification controls for APCs were in place and sufficient to minimize fraudulent credit and debit card purchases and if internal controls over APC stock examinations were effective. We conducted this review from August 2011 through May 2012 in accordance with the Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Inspection and Evaluation. We reviewed counts of the APC storage repository and kiosk inventories generated from October 2009 through September 2010. We conducted on-site field testing of APC system controls during September and October 2011. We interviewed Postal Service officials to determine roles and responsibilities and obtained information related to APC chargebacks. We reviewed applicable Postal Service policies.
We discussed our observations and conclusions with management on February 7, 2012, and included their comments where appropriate.

⁷

We assessed the reliability of computer-generated data from the Accounting Data Mart, Bank of America® Merchant System, American Express, and Discover Network for obtaining chargeback data. We used various data analysis techniques to perform specific internal control and transaction tests. We determined that the data were sufficiently reliable for the purposes of this report.

Prior Audit Coverage

The OIG did not identify any prior audits or reviews related to the objective of this audit.

Appendix B: Management’s Comments